User Accessed Suspicious URL Categories

SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)

triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
relevantTechniques:
- T1566
- T1071
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: cs_userdn
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: c_ip
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
queryPeriod: 1h
name: User Accessed Suspicious URL Categories
status: Available
kind: Scheduled
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
version: 1.0.5
tactics:
- InitialAccess
- CommandAndControl
severity: Medium